Privacy Notice - Customers and marketing

Respect for the privacy of the individual is important to us at Billogram and we work proactively to protect the personal data that we process. All personal data is processed in accordance with the GDPR and other applicable data protection legislation. This document contains information about how we as a data controller process personal data when you or your company are a customer of ours, when you use our service, and in our marketing and sales processes.

In this document, we describe how and for what purposes we process your personal data, the lawful basis for the processing and what measures we take to protect personal data. We also describe how you can invoke your rights with regard to our processing of your personal data.

Who is responsible for the processing?

Data controller is Billogram AB (corporate registration number 556801-7155), headquartered at Klara Södra Kyrkogata 1, SE-111 52 Stockholm, Sweden.

If you have questions about how we process your personal data or wish to invoke any of your rights, you can always contact us at support@billogram.com.

General information about our personal data processing

In this section, we describe general principles governing our personal data processing and how we meet the requirements imposed on us when we process your personal data. 

Lawful basis

According to the GDPR, the controller must have a lawful basis for the processing of personal data. We base the processing of your personal data on the following lawful grounds:

Consent – You have given your explicit consent that we may process your personal data. You may withdraw your consent at any time and we will then cease processing your personal data for the purpose to which you have given your consent.

Contract – The processing is necessary for us to be able to perform a contract we have with you or to be able to enter into such a contract. 

Legal obligation – The processing of your personal data is necessary for us to meet the legal requirements imposed on us. 

Legitimate interests – We have undertaken a legitimate interest assessment and determined that our interests in processing your personal data outweigh your right not to be covered by the processing.

For how long do we store your personal data?

We save your personal data only for as long as is necessary for the purpose for which it was collected. Depending on the lawful basis, the storage period may be governed by a contract, be dependent on valid consent, be prescribed by law or follow from an internal legitimate interest assessment. In the section “How your personal data is processed” below, we specify the criteria for when the purpose ceases and thus the time when we no longer process your data.

When we share your personal data with others

We may share your personal data with others in order for us to perform any of the processing operations described in this document, for example for the storage of data. We always enter into Data processing agreements with the data processors we use in which we, among other things, give the processor instructions on how the personal data may be processed and the security measures required for the processing. The processor may not carry out any processing of your personal data that goes beyond these instructions.

If required by law, decree, regulation, government decision or other ruling binding on Billogram, we may disclose your personal data to various authorities, such as the Swedish Tax Agency or the Swedish Police Authority.

Transfer of personal data outside the EU/EEA

In case of personal data transfers to countries outside the EU/EEA, we implement safety measures to ensure that the level of security is adequate and in accordance with the GDPR. Such appropriate safety measures include, inter alia, ensuring the following:

– The European Commission has decided that the third country to which your personal data is transferred achieves an adequate level of protection, in other words, that the protection of your personal data is equivalent to the requirements in the GDPR, or

– The European Commission’s standard contractual clauses have been signed between Billogram or its processors, as applicable, and the recipient outside the EU/EEA, meaning that we have entered into an agreement with the processor to ensure that your personal data is protected in accordance with the GDPR. In these cases, we also assess whether there is legislation in the recipient country that affects the protection of your personal data. Where necessary, we take special measures to ensure that the protection of your data remains in place when transferring it to the relevant country outside the EU/EEA.

About automated decisions

“Automated decisions” means that certain decisions, having a significant effect on you, are completely automated, without any employees being involved. 

When processing your personal data, Billogram does not perform any automated decisions.

About profiling

“Profiling” means an automated processing of personal data to evaluate certain personal characteristics and behaviors, for example, by analysing or predicting personal preferences. 

We use profiling to deliver customised marketing to you across different types of platforms, both our own and external services. For more information about this processing, please see the purpose “To promote our billing service” in the section “Marketing” below.

About cookies

Cookies are small pieces of text sent to your browser by a website you visit. We use both necessary and non-necessary cookies on our website. Some cookies are necessary for the website to function as it should, while other cookies, which are aimed at analysis or marketing, require your consent for us to place. With the help of cookies, with your consent, our websites can also remember and recognize you and offer you an easier and better experience of our website and services. You can read more about our use of cookies in our cookie policy.

Our processing of your personal data

Personal data we process and the source

The table below outlines the types of personal data we process regarding customers, users of our service and in our marketing and sales process and specifies the source of this data, i.e., where the data has been collected. Personal data we process only if your company constitutes a sole proprietorship is marked with *.

Personal data

Contact and identification details - such as name, address, email address, telephone number, personal identity number, nationality and title.

Source

From you or the company where you are employed. For marketing purposes, we may collect some information from social media and other external sources (such as public web sites)

Personal data

Communication information - the communication you have with us regarding our existing or future business relationship and the billing service we provide. Bank details* - bank account or giro number.

Source

From you

Personal data

Case details - information about cases we handle, e.g. when you contact our customer support department or in the context of the investigations we sometimes need to carry out to fulfil the anti money laundering and terrorism financing regulations. Payment and billing information* - such as specification of the service you purchase from us, details of payment terms, current receivables or liabilities, OCR number and amount. Usage information - information about how you use our billing and payment service or how you navigate on our website.

Source

Generated by Billogram

Personal data

AML/CTF & sanction screening information - Information we need to have about you to fulfill our obligations with regards to anti-money laundering and counter terrorism financing which is not covered by any other category, such as citizenship, birth date and PEP/RCA status (Politically Exposed Persons or relative to such a person)

Source

From you or external sources

Personal data

Device details - such as version of operating system, IP address or other unique identification of a computer, mobile phone or other device used to use the service.

Source

From your device

How your personal data is processed

The sections below set out how we process personal data for customers, users and in our marketing activities. In each section you will find information on the personal data we process and for what purpose, the lawful basis for our processing, when the purpose of the processing ceases and, if possible and relevant, the basis for the assessment of the storage period (in brackets).

Customers - representatives

This section describes our personal data processing applicable for you who represent a company which is a customer of ours, such as the contact person for our customer relationship, authorised signatory or a beneficial owner in accordance with anti money laundering and terrorism financing regulations. 

Purpose

To provide customer service in accordance with the agreement

Personal data

Contact and identification details, Communication information, Case details

Lawful basis

Our legitimate interest to provide service to our customers

When the purpose ceases

When your employment at the company in question ceases or 1 year after the contract between your company and Billogram expires (the time we deem necessary to handle follow-up on our customer relationship)

Purpose

To protect Billogram from legal claims and exercise Billogram’s legal rights

Personal data

Contact and identification details, Communication information, Case details

Lawful basis

Our legitimate interest to be able to protect ourselves from legal claims and exercise our rights

When the purpose ceases

10 years after termination of the contract in accordance with the current limitation period (Swedish Act on Limitation)

Purpose

To compile bookkeeping and accounting data in accordance with accounting laws, as well as the retention of such data in accordance with applicable law

Personal data

Contact and identification details

Lawful basis

Legal obligation - Swedish Bookkeeping Act (1999:1078)

When the purpose ceases

7 years after the end of the calendar year in which the data was recorded (regulatory requirement)

Purpose

To prevent, discover, investigate and report potential money laundering and terrorism financing

Personal data

Contact and identification details, AML/CTF & sanction screening information, Case details

Lawful basis

Legal obligation - Swedish Act (2017:630) on measures against money laundering and financing of terrorism

When the purpose ceases

Minimum five years and up to ten years from the completed transaction or from when the customer contract ceased (regulatory requirement)

Purpose

To perform sanctions screening to detect, prevent, manage, and mitigate financial crime risks

Personal data

Contact and identification details, AML/CTF & sanction screening information, Case details

Lawful basis

Sanctions legislation issued by the EU and UN: Legal obligation
Sanctions legislation issued by OFAC*: Our legitimate interest to ensure that we do not provide service to any party registered on sanction lists.

When the purpose ceases

When the company you represent is no longer a customer of Billogram or, if an errand arises, five years after the errand is handled (the time we deem necessary to be able to prove our compliance with sanction regulations).

Purpose

To manage complaints

Personal data

Contact and identification details, Communication information, Case details

Lawful basis

Legal obligation (The Swedish Payment Services Act)

When the purpose ceases

2 years after the complaint has been handled (the time we deem necessary to be able to follow up on incoming complaints)

*OFAC is a U.S. agency that establishes sanction lists similar to the EU and UN, which Billogram is obligated to adhere to.

Customers - sole proprietorship

This section describes our personal data processing applicable for you who run a sole proprietorship which is a customer of ours.

Purpose

To provide customer service in accordance with the agreement

Personal data

Contact and identification details, Communication information, Case details

Lawful basis

Contract

When the purpose ceases

1 year after the contract between your company and Billogram expires (the time we deem necessary to handle follow-up on our customer relationship)

Purpose

To execute transactions within our payment service operations

Personal data

Contact and identification details, Bank details, Payment and billing information

Lawful basis

Contract
Legal obligation - Swedish Payment Service Act (2010:751)

When the purpose ceases

5 years after the payment is made (regulatory requirement)

Purpose

To protect Billogram from legal claims and exercise Billogram’s legal rights

Personal data

Contact and identification details, Bank details, Communication information, Payment and billing information, Case details

Lawful basis

Our legitimate interest to be able to protect ourselves from legal claims and exercise our rights

When the purpose ceases

10 years after termination of the contract in accordance with the current limitation period (Swedish Act on Limitation)

Purpose

To compile bookkeeping and accounting data in accordance with accounting laws, as well as the retention of such data in accordance with applicable law

Personal data

Contact and identification details, Bank details, Payment and billing information

Lawful basis

Legal obligation - Swedish Bookkeeping Act (1999:1078)

When the purpose ceases

7 years after the end of the calendar year in which the data was recorded (regulatory requirement)

Purpose

To prevent, discover, investigate and report potential money laundering and terrorism financing

Personal data

Contact and identification details, AML/CTF & sanction screening information, Payment and billing information, Usage information, Case details

Lawful basis

Legal obligation - Swedish Act (2017:630) on measures against money laundering and financing of terrorism

When the purpose ceases

Minimum five years and up to ten years from the completed transaction or from when the customer contract ceased (regulatory requirement)

Purpose

To perform sanctions screening to detect, prevent, manage, and mitigate financial crime risks

Personal data

Contact and identification details, Case details

Lawful basis

Sanctions legislation issued by the EU and UN: Legal obligation
Sanctions legislation issued by OFAC*: Our legitimate interest to ensure that we do not provide service to any party registered on sanction lists.

When the purpose ceases

When your company is no longer a customer of Billogram or, if an errand arises, five years after the errand is handled (the time we deem necessary to be able to prove our compliance with sanction regulations).

Purpose

To manage complaints

Personal data

Contact and identification details, Communication information, Payment and billing information, Case details

Lawful basis

Legal obligation (The Swedish Payment Services Act)

When the purpose ceases

2 years after the complaint has been handled (the time we deem necessary to be able to follow up on incoming complaints)

*OFAC is a U.S. agency that establishes sanction lists similar to the EU and UN, which Billogram is obligated to adhere to.

User

This section describes our personal data processing for you who are a registered user of our service.

Purpose

To provide billing service to you as a user

Personal data

Contact and identification details

Lawful basis

Contract

When the purpose ceases

When you are deregistered as a user of our service

Purpose

To ensure functionality and security of the billing service

Personal data

Device details, Contact and identification details

Lawful basis

Contract
Legitimate interest
Our legitimate interest is that we need to ensure that our service is not used for fraudulent purposes

When the purpose ceases

When you are deregistered as a user of our service or 3 years after a specific case has been registered in our service (the time we deem necessary to be able to troubleshoot registered errands)

Purpose

To provide support regarding our billing service

Personal data

Contact and identification details, Communication information, Case details

Lawful basis

Contract

When the purpose ceases

2 years after the end of the calendar year in which the errand was handled (the time we deem necessary to be able to follow up on incoming errands)

Marketing

This section describes our personal data processing for you who visit our website or are a contact person for a company which we have a marketing contact with.

Purpose

To promote our billing service

Personal data

Contact and identification details, Communication information

Lawful basis

Our legitimate interest to market our services

When the purpose ceases

2 years after we are no longer in contact for sales or marketing purposes

Personal data

Usage information

Lawful basis

Consent

When the purpose ceases

When you withdraw your consent

Processors we share your personal data with

To fulfil the purposes described above we may share your personal data with other parties. In the table below, we indicate the data processors we may share your personal data with.

Data processor

Amazon Web Services (AWS)

Instruction (application area)

Platform hosting and storage

Processing region

EU/EEA

Lawful basis for third country transfer

N/A

Data processor

Atlassian (Jira)

Instruction (application area)

Case and project management

Processing region

EU/EEA, USA

Lawful basis for third country transfer

Adequacy decision

Data processor

Google

Instruction (application area)

Storage, communication and analytics

Processing region

EU/EEA, USA

Lawful basis for third country transfer

Adequacy decision

Data processor

Salesforce

Instruction (application area)

Customer relationship management system

Processing region

EU/EEA, USA

Lawful basis for third country transfer

Adequacy decision

Data processor

The Rocket Science Group (Mailchimp)

Instruction (application area)

Communication

Processing region

USA

Lawful basis for third country transfer

Adequacy decision

Data processor

Softronic (CM1)

Instruction (application area)

System for sanction screening, and anti money laundering and counter terrorism financing measures

Processing region

EU/EEA

Lawful basis for third country transfer

N/A

Data processor

Slack

Instruction (application area)

Communication

Processing region

EU/EEA, USA

Lawful basis for third country transfer

Adequacy decision

Data processor

Zendesk

Instruction (application area)

System for management of support cases

Processing region

EU/EEA, USA

Lawful basis for third country transfer

Adequacy decision

Your rights

According to the GDPR, you have several rights that you should be aware of. You can invoke any of your rights by contacting us through the contact channels below. Within the framework of our processing of your personal data, you have the following rights:

  • You have the right to request a record extract of the information recorded about you. 

  • If the data we hold on you is incorrect, you have the right to have it corrected.

  • You have the right to have your personal data deleted provided that we do not have to process it for the purposes for which it was collected, for example to perform a contract we have with you or where we have a legal obligation to continue processing the data.

  • If you believe that the data is incorrect or that our processing is unlawful or that we do not need the data for a specific purpose, you may request that we restrict the processing of data about you. You can also request restriction of processing while awaiting verification from us as to whether our interest in processing your data outweighs your right not to have this data processed.

  • If we indicate legitimate interest as a lawful basis, you have the right to object to the processing.

  • The right to data portability means that in some cases where the lawful basis is a contract or consent, you have the right to receive your personal data and use your personal data elsewhere.

  • If you believe that the processing of your personal data is in violation of GDPR, you have the right to make a complaint by contacting the Swedish Authority for Privacy Protection.

Contact details and Data Protection Officer

If you have questions about how we process your personal data or wish to invoke any of your rights, you can always contact us at support@billogram.com.

You can also contact our Data Protection Officer at dpo@billogram.com.

If you prefer to contact us by post, our postal address is:

Billogram AB

Klara Södra Kyrkogata 1

SE-111 52 Stockholm

Sweden

Privacy notice updates

This privacy notice may be updated due to changes in legislation or changes in our personal data processing as a result of the development of our services.

The latest version is always published here on our website.


This version was updated on 2024-11-11.